﻿/* LibTomCrypt, modular cryptographic library -- Tom St Denis
 *
 * LibTomCrypt is a library that provides various cryptographic
 * algorithms in a highly modular and flexible manner.
 *
 * The library is free for all purposes without any express
 * guarantee it works.
 *
 * Tom St Denis, tomstdenis@gmail.com, http://libtomcrypt.com
 * modified by ntldr, http://diskcryptor.net/
 */ 
#ifdef _M_ARM64
#include <stdlib.h>
#include <string.h>
#define __stosb memset
#define __movsb memmove
#else
#include <intrin.h>
#endif
#include "sha512_small.h"

// the K array
static const unsigned __int64 K[80] = {
	0x428a2f98d728ae22, 0x7137449123ef65cd, 0xb5c0fbcfec4d3b2f, 0xe9b5dba58189dbbc,
	0x3956c25bf348b538, 0x59f111f1b605d019, 0x923f82a4af194f9b, 0xab1c5ed5da6d8118,
	0xd807aa98a3030242, 0x12835b0145706fbe, 0x243185be4ee4b28c, 0x550c7dc3d5ffb4e2,
	0x72be5d74f27b896f, 0x80deb1fe3b1696b1, 0x9bdc06a725c71235, 0xc19bf174cf692694,
	0xe49b69c19ef14ad2, 0xefbe4786384f25e3, 0x0fc19dc68b8cd5b5, 0x240ca1cc77ac9c65,
	0x2de92c6f592b0275, 0x4a7484aa6ea6e483, 0x5cb0a9dcbd41fbd4, 0x76f988da831153b5,
	0x983e5152ee66dfab, 0xa831c66d2db43210, 0xb00327c898fb213f, 0xbf597fc7beef0ee4,
	0xc6e00bf33da88fc2, 0xd5a79147930aa725, 0x06ca6351e003826f, 0x142929670a0e6e70,
	0x27b70a8546d22ffc, 0x2e1b21385c26c926, 0x4d2c6dfc5ac42aed, 0x53380d139d95b3df,
	0x650a73548baf63de, 0x766a0abb3c77b2a8, 0x81c2c92e47edaee6, 0x92722c851482353b,
	0xa2bfe8a14cf10364, 0xa81a664bbc423001, 0xc24b8b70d0f89791, 0xc76c51a30654be30,
	0xd192e819d6ef5218, 0xd69906245565a910, 0xf40e35855771202a, 0x106aa07032bbd1b8,
	0x19a4c116b8d2d0c8, 0x1e376c085141ab53, 0x2748774cdf8eeb99, 0x34b0bcb5e19b48a8,
	0x391c0cb3c5c95a63, 0x4ed8aa4ae3418acb, 0x5b9cca4f7763e373, 0x682e6ff3d6b2b8a3,
	0x748f82ee5defb2fc, 0x78a5636f43172f60, 0x84c87814a1f0ab72, 0x8cc702081a6439ec,
	0x90befffa23631e28, 0xa4506cebde82bde9, 0xbef9a3f7b2c67915, 0xc67178f2e372532b,
	0xca273eceea26619c, 0xd186b8c721c0c207, 0xeada7dd6cde0eb1e, 0xf57d4f7fee6ed178,
	0x06f067aa72176fba, 0x0a637dc5a2c898a6, 0x113f9804bef90dae, 0x1b710b35131c471b,
	0x28db77f523047d84, 0x32caab7b40c72493, 0x3c9ebe0a15c9bebc, 0x431d67c49c100d4c,
	0x4cc5d4becb3e42b6, 0x597f299cfc657e2a, 0x5fcb6fab3ad6faec, 0x6c44198c4a475817
};

// initial hash value
static const unsigned __int64 H[8] = {
	0x6a09e667f3bcc908, 0xbb67ae8584caa73b, 0x3c6ef372fe94f82b, 0xa54ff53a5f1d36f1,
	0x510e527fade682d1, 0x9b05688c2b3e6c1f, 0x1f83d9abfb41bd6b, 0x5be0cd19137e2179
};

// Various logical functions
#define Ch(x,y,z)       (z ^ (x & (y ^ z)))
#define Maj(x,y,z)      (((x | y) & z) | (x & y)) 
#define S(x, n)         (_rotr64(x, n))
#define R(x, n)         ((unsigned __int64)(x) >> (unsigned __int64)(n))
#define Sigma0(x)       (S(x, 28) ^ S(x, 34) ^ S(x, 39))
#define Sigma1(x)       (S(x, 14) ^ S(x, 18) ^ S(x, 41))
#define Gamma0(x)       (S(x, 1) ^ S(x, 8) ^ R(x, 7))
#define Gamma1(x)       (S(x, 19) ^ S(x, 61) ^ R(x, 6))

// compress 1024-bits
static void sha512_compress(sha512_ctx *ctx, const unsigned char *buf)
{
	unsigned __int64 S[8], W[80], t0, t1;
	int              i;

	// copy state into S
	__movsb((unsigned char*)&S, (const unsigned char*)&ctx->hash, sizeof(S));
	
	// copy the state into 1024-bits into W[0..15]
	for (i = 0; i < 16; i++) {
		W[i] = _byteswap_uint64(((unsigned __int64*)buf)[i]);
	}
	// fill W[16..79]
	for (i = 16; i < 80; i++) {
		W[i] = Gamma1(W[i - 2]) + W[i - 7] + Gamma0(W[i - 15]) + W[i - 16];
	}
	// Compress
	for (i = 0; i < 80; i++) 
	{
		t0 = S[7] + Sigma1(S[4]) + Ch(S[4], S[5], S[6]) + K[i] + W[i];
		t1 = Sigma0(S[0]) + Maj(S[0], S[1], S[2]);
		S[7] = S[6];
		S[6] = S[5];
		S[5] = S[4];
		S[4] = S[3] + t0;
		S[3] = S[2];
		S[2] = S[1];
		S[1] = S[0];
		S[0] = t0 + t1;
	}
	for (i = 0; i < 8; i++) {
		ctx->hash[i] += S[i];
	}
	// prevent leaks
	__stosb((unsigned char*)&S, 0, sizeof(S));
	__stosb((unsigned char*)&W, 0, sizeof(W));
}

// Initialize the hash state
void sha512_init(sha512_ctx *ctx)
{
	__movsb((unsigned char*)&ctx->hash, (const unsigned char*)&H, sizeof(H));
	ctx->curlen = 0;
	ctx->length = 0;
}

// Process a block of memory though the hash
void sha512_add(sha512_ctx *ctx, const unsigned char *in, unsigned long inlen) 
{
	while (inlen--)
	{
		ctx->buf[ctx->curlen++] = *in++;

		if (ctx->curlen == SHA512_BLOCK_SIZE) {
			sha512_compress(ctx, ctx->buf);
			ctx->length += 8 * SHA512_BLOCK_SIZE;
			ctx->curlen = 0;
		}
	}
}

// Terminate the hash to get the digest
void sha512_done(sha512_ctx *ctx, unsigned char *out)
{
	int i;

	// increase the length of the message
	ctx->length += ctx->curlen * 8;

	// append the '1' bit
	ctx->buf[ctx->curlen++] = 0x80;

	/* if the length is currently above 112 bytes we append zeros
	 * then compress.  Then we can fall back to padding zeros and length
	 * encoding like normal.
	 */
	if (ctx->curlen > 112)
	{
		while (ctx->curlen < SHA512_BLOCK_SIZE) {
			ctx->buf[ctx->curlen++] = 0;
		}
		sha512_compress(ctx, ctx->buf);
		ctx->curlen = 0;
	}

	/* pad up to 120 bytes of zeroes
	 * note: that from 112 to 120 is the 64 MSB of the length.  We assume that you won't hash
	 * > 2^64 bits of data... :-)
	 */
	while (ctx->curlen < 120) {
		ctx->buf[ctx->curlen++] = 0;
	}
	// store length
	((unsigned __int64*)ctx->buf)[15] = _byteswap_uint64(ctx->length);
	sha512_compress(ctx, ctx->buf);

	// copy output
	for (i = 0; i < 8; i++) {
		((unsigned __int64*)out)[i] = _byteswap_uint64(ctx->hash[i]);
	}
}
